TCP Vulnerability

Welcome to Security Alerts, an overview of recent Unix and open source security
advisories. In this column, we look at problems in the TCP protocol, Midnight
Commander (mc), proftpd, OpenOffice, libpng, rsync, LHA, Utempter, X-Chat, and
sysklogd.

TCP Protocol Vulnerability

Weaknesses have been found in the TCP protocol specification. A spoofed RST
or SYN packet from an attacker can, under some conditions, tear down a TCP
session, and in some cases an attacker can inject data into a TCP session.

Users should contact their vendors for details on how to mitigate or prevent
these TCP protocol vulnerabilities.
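The check that decides the fate of a spoofed RST lives in the receiver. The following model is an added illustration, not code from this column or from any vendor's patch; it contrasts the historical acceptance rule (any RST whose sequence number falls anywhere inside the receive window tears the connection down) with the strict rule later standardized in RFC 5961 (only a RST landing exactly on RCV.NXT is honoured). The connection values are constructed sample data.

```python
"""Model of how a TCP receiver decides whether to honour an incoming RST.

Added illustration, not code from this column or from any vendor's patch.
It contrasts the historical acceptance rule (any in-window RST tears the
connection down) with the strict rule later standardized in RFC 5961
(only a RST landing exactly on RCV.NXT is honoured).  The connection
values used in the tests are constructed sample data.
"""
from dataclasses import dataclass

SEQ_SPACE = 2 ** 32  # TCP sequence numbers are 32 bits wide and wrap modulo 2^32


def seq_in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd) modulo 2^32."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


@dataclass
class Connection:
    rcv_nxt: int          # next sequence number the receiver expects
    rcv_wnd: int          # receive window the receiver has advertised, in bytes
    established: bool = True


def accept_rst_lenient(conn, seq):
    """Historical rule: any in-window RST is accepted and the session is torn down."""
    if conn.established and seq_in_window(seq, conn.rcv_nxt, conn.rcv_wnd):
        conn.established = False
        return True
    return False


def accept_rst_strict(conn, seq):
    """Hardened rule: only a RST whose sequence number equals RCV.NXT is
    accepted.  An in-window but non-matching RST is ignored here; RFC 5961
    additionally answers it with a challenge ACK so a genuine peer that
    really did reset can resend with the exact number."""
    if conn.established and seq == conn.rcv_nxt:
        conn.established = False
        return True
    return False


def accepted_fraction(rcv_wnd, policy):
    """Share of the 2^32 sequence space from which a single RST would be
    accepted: rcv_wnd/2^32 under the lenient rule, 1/2^32 under the strict
    rule.  This is the exposure the strict rule shrinks."""
    hits = rcv_wnd if policy == "lenient" else 1
    return hits / SEQ_SPACE
```

The larger the advertised receive window (window scaling makes multi-megabyte windows routine), the larger the lenient fraction becomes, which is what the "under some conditions" in the advisory is pointing at; the strict rule keeps the accepted set at a single sequence number regardless of window size.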

Midnight Commander (mc)

Users should watch their vendors for a repaired version of Midnight Commander
and should consider disabling Midnight Commander until it has been updated.
Repaired packages have been released for Red Hat Linux 9; Debian GNU/Linux;
and Mandrake Linux 10.0, 9.1, 9.2, and Corporate Server 2.1.


proftpd

Version 1.2.9 of the FTP daemon proftpd has a bug in the code that handles
the Allow and Deny directives that can, under some conditions,
allow clients to access files or directories to which access should have been denied.

Affected users should move to a version of proftpd other than 1.2.9, either
by downgrading to an earlier release or upgrading to a later one, or watch their vendors for a repaired version.
Repaired packages have been released for Mandrake Linux 10; Trustix Secure
Linux 2.0 and 2.1, and Trustix Secure Enterprise Linux 2;
and OpenPKG CURRENT and OpenPKG 2.0.

OpenOffice

OpenOffice has been reported to be vulnerable due to format-string bugs
in the neon WebDAV client library that can, under some conditions, be exploited
by a remote attacker to execute arbitrary code on the client with the permissions
of the user running OpenOffice.

Users of OpenOffice should upgrade to a version that has been linked against
the neon library with a version of 0.24.5 or newer. Red Hat has released a repaired
package of OpenOffice for Red Hat Linux 9.

libpng

The libpng library contains functions used to create and manipulate PNG (Portable
Network Graphics) image files. A carefully crafted PNG file can be created that
will crash any application linked against libpng, due to a bug in a function
that deals with error messages. This bug is not thought to be exploitable by
an attacker to execute code, but under some conditions it can be used in a denial-of-service attack.

Utempter

The Utempter utility is used by unprivileged applications to update the utmp
and wtmp log files. A directory traversal bug has been discovered in Utempter
that can be used by a local attacker to overwrite arbitrary files using a symbolic-link-based attack. As Utempter runs with root permissions, the files will be
overwritten as if the attacker were root.

Any system with Utempter installed needs to have Utempter upgraded as soon as possible,
to libutempter-1.1.1 or newer. Repaired versions of Utempter have been released
for Slackware Linux 9.1 and Red Hat Linux 9.

rsync

rsync, a faster and more flexible replacement for rcp that provides incremental
file transfers, is reported to be vulnerable to an attack that, under some conditions,
can be used by an attacker to write files outside of the expected path.

All users of rsync should upgrade to version 2.6.1 or newer as soon as possible.
Packages containing a repaired and updated version of rsync have been released
for Trustix Secure Linux 1.5, 2.0, and 2.1, and Trustix Secure Enterprise Linux 2.

LHA

LHA is a compression and archive-creation tool that uses the LHarc format.
Buffer overflows and a directory traversal bug have been found in LHA that can
potentially be used by a remote attacker to execute arbitrary code or write
arbitrary files with the permissions of the user who opens a carefully crafted
LHarc-format archive.

In most cases, users should not open any LHarc-formatted archives until they
have upgraded LHA to a safe version.
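The Utempter, rsync and LHA items above share one root cause: a file name or path supplied by an untrusted party (a tty name, a transfer list, an archive member) is used to decide where a privileged or user-level write lands, and the program does not confirm that the final, physical destination stays inside the directory it meant to write to. The following path-confinement check is an added illustration and is not code from any of those projects; the scratch directory, the planted symlink and the list of member names are constructed by the example itself so it runs offline.

```python
"""Path-confinement check of the kind that blocks the traversal and symlink
write bugs described for Utempter, rsync and LHA.

Added illustration, not code from any of those projects.  The scratch tree,
the planted symlink and the member names are constructed sample input.
"""
import os
import shutil
import tempfile


def confine_path(base_dir, untrusted_name):
    """Return the absolute destination for untrusted_name inside base_dir,
    or None if writing there would escape base_dir.

    Three checks, in order: absolute names are refused outright; the
    lexically normalized path must stay under base_dir; and any symlink
    already present under base_dir that would redirect the write elsewhere
    is caught by comparing the resolved (realpath) destination as well.
    """
    base = os.path.realpath(base_dir)
    if os.path.isabs(untrusted_name):
        return None
    candidate = os.path.normpath(os.path.join(base, untrusted_name))
    if os.path.commonpath([base, candidate]) != base:
        return None
    resolved = os.path.realpath(candidate)   # follows symlinks in the parent chain
    if os.path.commonpath([base, resolved]) != base:
        return None
    return resolved


def vet_archive_members(base_dir, member_names):
    """Split member names into those safe to extract (with destination) and those to refuse."""
    allowed, rejected = {}, []
    for name in member_names:
        dest = confine_path(base_dir, name)
        if dest is None:
            rejected.append(name)
        else:
            allowed[name] = dest
    return allowed, rejected


def demo():
    """Build a scratch tree containing a symlink that points outside it, then
    vet a constructed list of archive member names against it."""
    root = tempfile.mkdtemp()
    try:
        extract_dir = os.path.join(root, "extract")
        outside_dir = os.path.join(root, "outside")
        os.mkdir(extract_dir)
        os.mkdir(outside_dir)
        # Planted by an earlier hostile member or a local user: extract/link -> outside
        os.symlink(outside_dir, os.path.join(extract_dir, "link"))
        members = [
            "docs/readme.txt",        # ordinary relative name: allowed
            "../etc/passwd",          # lexical traversal
            "/etc/passwd",            # absolute path
            "sub/../../escape.txt",   # traversal hidden behind a harmless-looking prefix
            "link/target.txt",        # passes the lexical check, fails the symlink check
        ]
        allowed, rejected = vet_archive_members(extract_dir, members)
        return sorted(allowed), sorted(rejected)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The lexical check alone is what many archive tools had; the realpath comparison is the part that also covers the symlink-based variant described for Utempter, because it compares where the write would physically land rather than how the name was spelled.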

X-Chat

X-Chat is an IRC (Internet Relay Chat) client that runs under the X Window
System and can use the GTK+ toolkit or Gnome. A buffer overflow has been found
in the X-Chat code that handles Socks-5 proxies. If a user connects to a
proxy server controlled by an attacker, the attacker can exploit X-Chat to execute
arbitrary code with the permissions of the user. The buffer overflow affects
X-Chat versions 1.8.0 through 2.0.8 if the user connects through a Socks-5 proxy
server.
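A proxy reply is input from the other end of the connection and has to be parsed with the same care as anything else off the wire. The following bounds-checked parser for a SOCKS5 CONNECT reply (RFC 1928, section 6) is an added illustration, not X-Chat's code and not the specific code path that was fixed; it shows the general discipline of validating every length the reply implies, including the proxy-chosen domain-name length byte, against the bytes actually received before slicing or copying. The sample replies are constructed for this example.

```python
"""Bounds-checked parser for a SOCKS5 CONNECT reply (RFC 1928, section 6).

Added illustration, not X-Chat's code.  Every length implied by the
address-type byte, and for domain names by the proxy-supplied length byte,
is checked against the bytes actually received before anything is sliced.
The sample replies at the bottom are constructed for this example.
"""
import struct

ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


class Socks5ReplyError(ValueError):
    """Raised for a truncated, malformed or unexpected reply."""


def parse_socks5_reply(buf):
    """Return (reply_code, bound_addr, bound_port, bytes_consumed).

    Layout: VER | REP | RSV | ATYP | BND.ADDR (variable) | BND.PORT (2 bytes).
    """
    if len(buf) < 4:
        raise Socks5ReplyError("reply header truncated")
    ver, rep, rsv, atyp = buf[0], buf[1], buf[2], buf[3]
    if ver != 0x05:
        raise Socks5ReplyError("not a SOCKS5 reply")
    if rsv != 0x00:
        raise Socks5ReplyError("reserved byte must be zero")
    pos = 4
    if atyp == ATYP_IPV4:
        if len(buf) < pos + 4:
            raise Socks5ReplyError("IPv4 address truncated")
        addr = ".".join(str(b) for b in buf[pos:pos + 4])
        pos += 4
    elif atyp == ATYP_IPV6:
        if len(buf) < pos + 16:
            raise Socks5ReplyError("IPv6 address truncated")
        addr = ":".join("%02x%02x" % (buf[pos + i], buf[pos + i + 1])
                        for i in range(0, 16, 2))
        pos += 16
    elif atyp == ATYP_DOMAIN:
        if len(buf) < pos + 1:
            raise Socks5ReplyError("domain length byte missing")
        dlen = buf[pos]
        pos += 1
        # The length byte is chosen by the proxy.  Validate it against the
        # data on hand before using it as a slice or copy length.
        if dlen == 0:
            raise Socks5ReplyError("empty domain name")
        if len(buf) < pos + dlen:
            raise Socks5ReplyError("domain length %d exceeds %d bytes available"
                                   % (dlen, len(buf) - pos))
        try:
            addr = buf[pos:pos + dlen].decode("ascii")
        except UnicodeDecodeError:
            raise Socks5ReplyError("domain name is not ASCII") from None
        pos += dlen
    else:
        raise Socks5ReplyError("unknown address type 0x%02x" % atyp)
    if len(buf) < pos + 2:
        raise Socks5ReplyError("port truncated")
    port = struct.unpack(">H", buf[pos:pos + 2])[0]
    pos += 2
    return rep, addr, port, pos


def try_parse(buf):
    """Return the parsed tuple, or None if the reply has to be rejected."""
    try:
        return parse_socks5_reply(buf)
    except Socks5ReplyError:
        return None


# Constructed sample replies: two well-formed, two that a parser trusting the
# advertised lengths would read past the end of.
SAMPLE_REPLIES = {
    "ipv4_ok": b"\x05\x00\x00\x01\x0a\x00\x00\x01\x1f\x90",
    "domain_ok": b"\x05\x00\x00\x03\x0bexample.org\x00\x50",
    "domain_length_lies": b"\x05\x00\x00\x03\xc8abc\x00\x50",
    "header_truncated": b"\x05\x00",
}
```

In a C client the same rule applies to the destination buffer: the proxy's length byte must be checked against both the bytes received and the size of the buffer it is copied into, never used as the copy length on its own.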

Affected users should stop using untrusted Socks-5
proxy servers until they have either applied a patch available from XChat.org
or upgraded X-Chat. Red Hat
has released a repaired package for Red Hat Linux 9.

sysklogd

The sysklogd logging daemon contains a bug that can be used by an attacker
to crash the daemon. This has only been reported as a denial-of-service type of
attack, and it is not known if this vulnerability can be exploited to execute
arbitrary code. The sysklogd package contains the syslogd and klogd daemons.
The syslogd daemon is an improved version of the Berkeley syslogd daemon, and
the klogd daemon handles kernel messages.

Every user of the sysklogd package should upgrade to a repaired version as
soon as possible. Mandrake Linux has released a repaired version of the sysklogd
package.